k8s pack (#974)

panther-labs · Nov 27, 2023 · 0d337ae · 0d337ae
1 parent e9cdd0d
commit 0d337ae
Showing 1 changed file with 22 additions and 0 deletions.
diff --git a/packs/kubernetes.yml b/packs/kubernetes.yml
@@ -0,0 +1,22 @@
+AnalysisType: pack
+PackID: PantherManaged.Kubernetes.Core
+DisplayName: "Panther Core Kubernetes Pack"
+Description: This is a group of detections that act on Kubernetes logs sourced from Amazon EKS.
+PackDefinition:
+  IDs:
+    # Kubernetes scheduled queries and rules
+    - Kubernetes.CronJobCreatedOrModified
+    - Kubernetes.DaemonSetDeployed
+    - Kubernetes.IOCActivity
+    - Kubernetes.NewAdmissionControllerCreated
+    - Kubernetes.OverlyPermissivePod
+    - Kubernetes.PodAttachedHostNetwork
+    - Kubernetes.PodCreatedDefaultNameSpace
+    - Kubernetes.PodHostPathVolumeMount
+    - Kubernetes.PodUsingHostPIDNamespace
+    - Kubernetes.PodUsingIPCNamespace
+    - Kubernetes.PrivilegedPodCreated
+    - Kubernetes.SecretEnumeration
+    - Kubernetes.ServiceTypeNodePortDeployed
+    - Kubernetes.UnauthenticatedAPIRequest
+    - Kubernetes.UnauthorizedPodExecution